An out-of-bounds read/write flaw was discovered in the way QEMU's Firmware Configuration device emulation processed certain firmware configurations. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance or, potentially, execute arbitrary code on the host with privileges of the QEMU process.

Qemu emulator built with the Firmware Configuration device emulation support is
vulnerable to an OOB r/w access issue. It could occur while processing firmware
configurations, if the current configuration entry value was set to be
invalid(FW_CFG_INVALID=0xffff).
A privileged(CAP_SYS_RAWIO) user/process inside guest could use this flaw to
crash the Qemu process instance resulting in DoS OR potentially execute
arbitrary code with privileges of the Qemu process on the host.
Upstream fix:
-------------
-> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg00428.html
Reference:
----------
-> http://www.openwall.com/lists/oss-security/2016/01/12/10